Hi. I have two servers running Windows Server 2008. For example, AD-1 (FSMO) and AD-2 (slave).
Both are GCs (Global Catalog) in the same domain. The domain functional level is 2008.
Since two days ago, every account whose password expires gets blocked by Directory Services.
For the blocked account I found this warning in the Event Viewer, in the Directory Service log (after some hours or a "gpupdate"):
--------------------------------------------------------------------------------------------------------------------------------------------------
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: "time"
Event ID: 1955
Task Category: Replication
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: AD-1(master)
Description:
Active Directory Domain Services encountered a write conflict when applying replicated changes to the following object.
object: CN=DOMAIN..etc.etc.. "User"..
Event log entries preceding this entry will indicate whether or not the update was accepted.
A write conflict can be caused by simultaneous changes to the same object or simultaneous changes to other objects that have attributes referencing this object. This commonly occurs when the object represents a large group with many members, and the functional level of the forest is set to Windows 2000. This conflict triggered additional retries of the update. If the system appears slow, it could be because replication of these changes is occurring.
---------------------------------------------------------------------------------------------------------------------------------------------------------
If you unlock the account, it gets blocked again after 4 or 5 minutes, without reason. I didn't see any "access failed attempts" on any AD or Exchange server, even when the user is not logged in or using any service.
I did a 'dcdiag /v' and didn't find anything. Replication simply works fine. I tried creating a .txt file in the SYSVOL directory, and it replicated instantly. I have ruled out an NTDS problem... I even did an ntdsutil metadata cleanup.
------------------------------------------------------------------ Also I have this..... strange one ----------------------------------------------------
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 7/4/2016 10:54:24 AM
Event ID: 2887
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: AD-1
Description:
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
Summary information on the number of these binds received within the past 24 hours is below.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Number of simple binds performed without SSL/TLS: 19
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx}" EventSourceName="NTDS LDAP" />
<EventID Qualifiers="32768">2887</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="TIME" />
<EventRecordID>9760</EventRecordID>
<Correlation />
<Execution ProcessID="788" ThreadID="972" />
<Channel>Directory Service</Channel>
<Computer>AD-2</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>19</Data>
<Data>0</Data>
</EventData>
</Event>
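An added example, not part of the original post, showing how I would chase this from the DCs in PowerShell: who is locking the account (Security event 4740 on the PDC emulator), which DC is counting the bad passwords (badPwdCount is not replicated), and which clients are behind the 19 cleartext simple binds from event 2887 (raise "16 LDAP Interface Events" to level 2, as the event text says, and read the resulting 2889 events). The account name 'jdoe' is a placeholder, and the order of the 2889 event properties (client IP:port, identity, bind type) is assumed from my own reading of those events.

```powershell
# Added example, not from the original post. 'jdoe' is a placeholder account.
# Requires the ActiveDirectory module (RSAT) and rights to read the DCs' event logs.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder: the account that keeps getting locked

# --- 1. Who is locking the account? ---
# Lockouts are always recorded as Security event 4740 on the PDC emulator, whichever DC
# saw the bad passwords, so query that DC instead of every DC.
$pdc = (Get-ADDomain).PDCEmulator
$lockoutFilter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-2) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $lockoutFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value   # TargetUserName
            CallerComputer = $_.Properties[1].Value   # "Caller Computer Name": where the bad password came from
        }
    } | Format-Table -AutoSize

# --- 2. Which DC is counting the failures? ---
# badPwdCount and lastBadPasswordAttempt are per-DC (not replicated), so read them from each DC.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, badPwdCount, LastBadPasswordAttempt, LockedOut
}

# --- 3. Which clients are doing the cleartext simple binds counted in event 2887? ---
# Raising "16 LDAP Interface Events" to 2 makes the DC log event 2889 for every unsigned or
# cleartext bind, with the client address and the identity it bound as. Set it back to 0 afterwards.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Run this part on the DC after it has logged for a while (property order assumed: IP:port, identity, bind type).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $_.Properties[0].Value
            Identity = $_.Properties[1].Value
            BindType = $(if ($_.Properties[2].Value -eq 0) { 'unsigned SASL' } else { 'simple bind, no TLS' })
        }
    } | Sort-Object Client | Format-Table -AutoSize

# Restore the default logging level once the offending clients are identified.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

The 4740 query is the part that usually answers "why does it lock again after 4 or 5 minutes": the Caller Computer Name points at the machine (or Exchange/ActiveSync client, service, mapped drive, scheduled task) still presenting the old password. The 2889 part is separate from the lockout and only identifies the clients behind the 2887 warning.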